Getting Started with SMSPassword

In this blog post I’m going to show you how you can secure your Netscaler Gateway or VMware Authentication Server with SMSPassword 2-factor authentication in 5 minutes!

The moment you open your firewall for remote access you’re putting your lab or production environment into the danger zone. If you’re a blogger like me, it’s very likely that you have IP and/or account information somewhere in your blog posts that makes it very easy for hackers to attack.


I have to admit that I’ve not been too worried about my home lab before, but now that my entire xenapptraining.com business is running on Office 365 with Active Directory Federation Services, I’m forced to be more careful. The only way to accomplish that is by using 2-factor authentication.

Luckily there’s a cheap solution to my problems, and it’s even FREE for two users. Meet Citrix Ready SMSPassword.

SMSPassword Configuration

First download your trial here.

The software doesn’t rely on Microsoft Radius, so there’s no need to configure Network Policy Server. Therefore, it’s perfect to install it on your Citrix StoreFront Server(s). All settings are saved in the smspassword.cfg file.


Start SMSPasswordConfig.exe as Administrator and begin the configuration.

For Radius you’ll use the IP address of your Netscaler NSIP. Use a password generator to create a complex shared secret key.
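Why the shared secret deserves a password generator, shown as an added example (not code from the original post or from SMSPassword): RADIUS hides the user's password on the wire only by XOR-ing it with MD5 of the shared secret and the request authenticator (RFC 2865, section 5.2), so the secret is what protects the AD password between the NSIP and the SMSPassword server. The function names and sample values below are assumptions made for illustration.

```python
import hashlib
import secrets
import string

BLOCK = 16  # MD5 digest size; RFC 2865 hides the password in 16-byte blocks


def new_shared_secret(length: int = 32) -> str:
    """Random RADIUS shared secret from a CSPRNG (letters and digits)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(data), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], mask))
        # The next mask is always derived from the hidden (on-the-wire) block.
        prev = block if hiding else data[i:i + BLOCK]
        out += block
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS client (here: the gateway) puts in User-Password."""
    if len(authenticator) != BLOCK or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password.ljust(-(-len(password) // BLOCK) * BLOCK, b"\x00")
    return _xor_chain(padded, secret, authenticator, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does; anyone who knows the secret can do the same."""
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


if __name__ == "__main__":
    secret = new_shared_secret().encode()
    auth = secrets.token_bytes(BLOCK)  # constructed request authenticator
    wire = hide_password(b"Constructed-AD-Passw0rd!", secret, auth)
    print(wire.hex(), reveal_password(wire, secret, auth))
```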

By default SMSPassword will query the default AD Group SMSPassword for active users.


I went with BulkSMS as SMS dispatcher and bought a batch of 300 credits for only $11.50.

You can specify the password length and whether you want a mix of characters and numbers. I wanted just numbers so I deleted the characters.


When you’re happy with the Configuration, select the Service Control tab and install the service. From there you have direct access to the event logs.


BulkSMS also has a nice interface where you can check your message history.


SMSPassword Netscaler Gateway Configuration

Log into your Netscaler and navigate to System – Authentication – Radius and Add a new Policy with the expression ns_true.


In the Server Policy you set the IP Address of the server running the SMSPassword service and time-out to 100 with Accounting Off.


The Radius service will authenticate the user with Active Directory, so you don’t need the LDAP policy anymore, just replace it with Radius.


Log in with username and password.


Straight after you’ll get your One-Time Password.


To add an extra layer of security I’ve configured a Session Recording Policy for the SMSPassword AD Group. Learn more in the post The Complete Guide to Citrix Session Recording.

So whenever I have external consultants accessing my system, their session will be recorded and it’s actually a good thing because I can replay the video and learn from their troubleshooting techniques.


That’s it! While you’re at it, you should Make your NetScaler SSL VIPs More Secure. Great post by fellow CTP Anton van Pelt.

5 Responses to Getting Started with SMSPassword

  1. Hi Eirik. Thanks for your article. Just to be sure, the trial version of SMSPassword has no time limit and is free for two users?
